Office of Inspector General
U.S. Government Accountability Office
Report Highlights

March 2012

INFORMATION SECURITY
Evaluation for GAO’s Program and Practices for Fiscal Year 2011

What We Found

The Federal Information Security Management Act of 2002 (FISMA) requires that each federal agency establish an agencywide information security management program for the information and information systems that support the agency’s operations and assets. GAO is not obligated by law to comply with FISMA or Executive Branch information policies, but has adopted them to help ensure physical and information system security. Our evaluation showed that GAO has established an overall information security program that is generally consistent with the requirements of FISMA, Office of Management and Budget implementing guidance, and standards and guidance issued by the National Institute of Standards and Technology. However, using FISMA reporting metrics for federal inspectors general, we identified opportunities to improve specific elements of this program that concern

• addressing information security risk from an overall agency perspective through a comprehensive governance structure and organization-wide risk management strategy,
• remediating security weaknesses identified for agency information systems in a timely manner,
• building out GAO’s Alternative Computing Facility to fully support the agency’s mission-essential functions in the event of an emergency or disaster, and
• developing accurate statistics for employees and contractors completing annual security awareness and role-based training.

A full report on this evaluation was prepared for internal GAO use only.

What We Recommend

This report recommends that GAO (1) establish a comprehensive governance structure and organization-wide risk management strategy for the security of its information systems; (2) enhance accountability for, and management of, the agency’s information security weakness remediation process; (3) provide senior management with adequate information to consider and prioritize building out the capabilities of the agency’s Alternative Computing Facility; and (4) develop and implement procedures for capturing data that accurately reflect agency compliance with security training requirements as of the end of each fiscal year. GAO concurred with these recommendations.

OIG-12-2 Information Security

Reporting Fraud, Waste, and Abuse in GAO’s Internal Operations

To report fraud, waste, and abuse in GAO’s internal operations, do one of the following. (You may do so anonymously.)

• Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24 hours a day, 7 days a week.
• Online at: https://OIG.alertline.com.

Obtaining Copies of OIG Reports and Testimony

To obtain copies of OIG reports and testimony, go to GAO’s Web site: www.gao.gov/about/workforce/ig.html.

Congressional Relations

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.